feat(pipeline): add sbom reporting with dependency track (!146) · Merge requests · catladder / catladder

Michael requested to merge feat/sbom-v2 into main Mar 28, 2023

Basic implementation of #25 (closed), replaces !145 (closed).

It creates a sbom jobs for each env and component in the verify stage.

Uses the Trivy scanner
When the build type is custom it can be customized or disabled
Supports Yarn workspaces, each component will upload a sbom with all workspace packages
Uploads to Dependency Track (DT) as project <customerName>-<appName>/<componentName> with release set to to <env>
- This means review environments will overwrite each other
Uploads to DT only after the deployment has succeeded, unless deployments are disabled

Not implemented:

Handling of DT_KEY. Manually configuring it as a GitLab group CI/CD variable should be good enough.
Disabling of the project in DT

Edited Mar 29, 2023 by Michael

feat(pipeline): add sbom reporting with dependency track